
Hello steemians,
In the first part -> Extracting files from the MFT table with Volatility (Part 1), we saw what the MFT table was, how to use Volatility and how to extract resident files (less than 1024 bytes) directly from the MFT table.
We will now see how to extract non-resident files (larger than 1024 bytes) from a memory dump. For the demonstration I use, as in the previous part, the challenge files from the [Root-Me](https://www.root-me.org/?lang=en) site; do not hesitate to register if hacking interests you!
1. MFTParser plugin : Find interesting files
The goal is to find relevant information that can help us solve a challenge or follow the tracks of a program; we will not extract just any file. In the case of our dump, running the mftparser plugin and grepping its output for "find" locates an interesting file on the user's desktop.

File path (right) : "Users\info\Desktop\findme"
2. Filescan plugin : Find the physical address of the file
So we have an interesting file; it is larger than 1024 bytes, hence "non-resident", but its contents may still be present in memory. To check this and retrieve the physical address of its file object, we use the "filescan" plugin with a grep on "find".

We see our file "findme", stored on the user's desktop, with the physical address "0x000000001ee20110". This address lets us extract the file directly from the memory dump.
3. Dumpfiles plugin : Extract file
To extract the file we are interested in, we use the "dumpfiles" plugin, passing it the physical address recovered in the previous step.

Options used:
-Q : Dump the file object found at the given physical offset
-D : Directory where the extracted file will be written
-u : Unsafe mode (tries to recover more data, at the risk of including pages that no longer belong to the file)
-n : Include the original file name in the name of the dumped file
-S : Create a summary file containing the extraction information
The file "file.None.0x84e13338.findme.dat" is the file extracted from the dump! The "None" is where a process ID would appear; there is none because we dumped by physical offset with -Q. The next step is to analyse it to find out what it contains: a script, malware, an image, etc.
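The steps above (filescan, grep for the name, dumpfiles -Q) as an added Python example, not code from the original post: it parses Volatility 2 filescan output and builds the dumpfiles command line with the same options. The filescan lines are constructed (only the "findme" entry reuses the post's offset and path), and the dump file name and profile are assumptions.

```python
import re
import shlex
from typing import List, Tuple

# Constructed sample of Volatility 2 filescan output (same column layout as the
# plugin: physical offset, pointer count, handle count, access, path). Only the
# "findme" row uses values from the post; the other rows are made up.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000001e9a2f20     14      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000001ee20110      2      0 R--r-- \\Device\\HarddiskVolume1\\Users\\info\\Desktop\\findme
0x000000001f1c07d0      1      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\info\\AppData\\Local\\Temp\\findme.tmp
"""

# One data row: hex offset, two counters, a six-character access field, then the path.
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S{6}\s+(\S.*)$")


def parse_filescan(output: str) -> List[Tuple[str, str]]:
    """Return (physical_offset, path) pairs, skipping the header and separator lines."""
    rows = []
    for line in output.splitlines():
        m = FILESCAN_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def find_files(output: str, pattern: str) -> List[Tuple[str, str]]:
    """The post's 'grep find', but as a case-insensitive regex applied to the path only."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(off, path) for off, path in parse_filescan(output) if rx.search(path)]


def dumpfiles_command(dump: str, profile: str, offset: str, outdir: str) -> List[str]:
    """Build the dumpfiles invocation with the options used in the post (-Q -D -u -n -S)."""
    return ["vol.py", "-f", dump, "--profile", profile, "dumpfiles",
            "-Q", offset, "-D", outdir, "-u", "-n", "-S", f"{outdir}/summary_{offset}.json"]


if __name__ == "__main__":
    # Assumed dump name and profile; replace with the real ones for your image.
    for offset, path in find_files(SAMPLE_FILESCAN, r"findme$"):
        print(path)
        print(shlex.join(dumpfiles_command("dump.raw", "Win7SP1x64", offset, "out")))
```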